Abstract. Consider the Jacobian of a genus two curve defined over a finite field and with complex multiplication. In this paper we show that if the $\ell$-Sylow subgroup of the Jacobian is not cyclic, then the embedding degree of the Jacobian with respect to $\ell$ is one.



1. Introduction 

In elliptic curve cryptography it is essential to know the number of points on the curve. Cryptographically we are interested in elliptic curves with large cyclic subgroups. Such elliptic curves can be constructed. The construction is based on the theory of complex multiplication, studied in detail by Atkin and Morain (1993). It is referred to as the CM method.



Koblitz (1989) suggested the use of hyperelliptic curves to provide larger group orders. Therefore constructions of hyperelliptic curves are interesting. The CM method for elliptic curves has been generalized to hyperelliptic curves of genus two by Spallek (1993), and efficient algorithms have been proposed by Weng (2003) and Gaudry et al. (2005).



Both algorithms take as input a primitive, quartic CM field $K$ (see section 3 for the definition of a CM field), and give as output a hyperelliptic genus two curve $C$ defined over a prime field $\mathbb{F}_p$. A prime number $p$ is chosen such that $p = x\bar{x}$ for a number $x \in \mathcal{O}_K$, where $\mathcal{O}_K$ is the ring of integers of $K$. We have $K = \mathbb{Q}(\eta)$ and $K \cap \mathbb{R} = \mathbb{Q}(\sqrt{D})$, where $\eta = i\sqrt{a + b\xi}$ and

$$\xi = \begin{cases} \dfrac{1 + \sqrt{D}}{2}, & \text{if } D \equiv 1 \bmod 4, \\[2mm] \sqrt{D}, & \text{if } D \equiv 2, 3 \bmod 4. \end{cases}$$

In this paper, the following theorem is established. 

Theorem 1. Let $C$ be a hyperelliptic curve of genus two defined over $\mathbb{F}_p$ with $\mathrm{End}(C) \simeq \mathcal{O}_K$, where $K$ is a primitive, quartic CM field as defined in definition 6. Assume that the $p$-power Frobenius under this isomorphism is given by the number $\omega = c_1 + c_2\xi + (c_3 + c_4\xi)\eta$, where $\xi$ and $\eta$ are given as above and $c_i \in \mathbb{Z}$. Consider a prime number $\ell \mid |\mathcal{J}_C(\mathbb{F}_p)|$ with $\ell \neq p$, $\ell \nmid D$ and $\ell \nmid c_2$. Assume that the $\ell$-Sylow subgroup of $\mathcal{J}_C(\mathbb{F}_p)$ is not cyclic. Then $p \equiv 1 \bmod \ell$, i.e. the embedding degree of $\mathcal{J}_C(\mathbb{F}_p)$ with respect to $\ell$ is one.
2. Hyperelliptic curves



A hyperelliptic curve is a smooth, projective curve $C \subseteq \mathbb{P}^n$ of genus at least two with a separable, degree two morphism $\phi : C \to \mathbb{P}^1$. Let $C$ be a hyperelliptic curve of genus two defined over a prime field $\mathbb{F}_p$ of characteristic $p > 2$. By the Riemann-Roch theorem there exists an embedding $\psi : C \to \mathbb{P}^2$, mapping $C$ to a curve given by an equation of the form

where $f \in \mathbb{F}_p[x]$ is of degree six and has no multiple roots (see Cassels and Flynn, 1996, chapter 1).

The set of principal divisors $\mathcal{P}(C)$ on $C$ constitutes a subgroup of the degree zero divisors $\mathrm{Div}_0(C)$. The Jacobian $\mathcal{J}_C$ of $C$ is defined as the quotient

$$\mathcal{J}_C = \mathrm{Div}_0(C)/\mathcal{P}(C).$$

Let $\ell \neq p$ be a prime number. The $\ell^n$-torsion subgroup $\mathcal{J}_C[\ell^n] \leq \mathcal{J}_C$ of elements of order dividing $\ell^n$ is then (Lang, 1959, theorem 6, p. 109)

(1) $\mathcal{J}_C[\ell^n] \simeq \mathbb{Z}/\ell^n\mathbb{Z} \times \mathbb{Z}/\ell^n\mathbb{Z} \times \mathbb{Z}/\ell^n\mathbb{Z} \times \mathbb{Z}/\ell^n\mathbb{Z},$

i.e. $\mathcal{J}_C[\ell^n]$ is a $\mathbb{Z}/\ell^n\mathbb{Z}$-module of rank four.

The order of $p$ modulo $\ell$ plays an important role in cryptography.

Definition 2 (Embedding degree). Consider a prime number $\ell$ dividing the order of $\mathcal{J}_C(\mathbb{F}_p)$, where $\ell$ is different from $p$. The embedding degree of $\mathcal{J}_C(\mathbb{F}_p)$ with respect to $\ell$ is the least number $k$, such that $p^k \equiv 1 \bmod \ell$.



An endomorphism $\varphi : \mathcal{J}_C \to \mathcal{J}_C$ induces a $\mathbb{Z}_\ell$-linear map $\varphi_\ell$ on the $\ell$-adic Tate module $T_\ell(\mathcal{J}_C)$ of $\mathcal{J}_C$ (Lang, 1959, chapter VII, §1). The map $\varphi_\ell$ is given by $\varphi$ as described in the following diagram:

$$\begin{array}{ccccccc}
\cdots & \xrightarrow{[\ell]} & \mathcal{J}_C[\ell^{n+1}] & \xrightarrow{[\ell]} & \mathcal{J}_C[\ell^{n}] & \xrightarrow{[\ell]} & \cdots \\
 & & \big\downarrow \varphi & & \big\downarrow \varphi & & \\
\cdots & \xrightarrow{[\ell]} & \mathcal{J}_C[\ell^{n+1}] & \xrightarrow{[\ell]} & \mathcal{J}_C[\ell^{n}] & \xrightarrow{[\ell]} & \cdots
\end{array}$$

Here, the horizontal maps $[\ell]$ are the multiplication-by-$\ell$ map. Hence, $\varphi$ is represented by a matrix $M \in \mathrm{Mat}_{4 \times 4}(\mathbb{Z}/\ell\mathbb{Z})$ on $\mathcal{J}_C[\ell]$. Let $P(X) \in \mathbb{Z}[X]$ be the characteristic polynomial of $\varphi$ (see Lang, 1959, pp. 109-110), and let $P_M(X) \in (\mathbb{Z}/\ell\mathbb{Z})[X]$ be the characteristic polynomial of the restriction of $\varphi$ to $\mathcal{J}_C[\ell]$. Then (Lang, 1959, theorem 3, p. 186)

(2) $P(X) \equiv P_M(X) \bmod \ell.$

Since $C$ is defined over $\mathbb{F}_p$, the mapping $(x, y) \mapsto (x^p, y^p)$ is an isogeny on $C$. This isogeny induces the $p$-power Frobenius endomorphism $\varphi$ on the Jacobian $\mathcal{J}_C$. The characteristic polynomial $P(X)$ of $\varphi$ is of degree four (Tate, 1966, theorem 2, p. 140), and by the definition of $P(X)$ (see Lang, 1959, pp. 109-110),

$$|\mathcal{J}_C(\mathbb{F}_p)| = P(1),$$

i.e. the number of $\mathbb{F}_p$-rational elements of the Jacobian is determined by $P(X)$.
3. CM fields

An elliptic curve $E$ with $\mathbb{Z} \neq \mathrm{End}(E)$ is said to have complex multiplication. Let $K$ be an imaginary, quadratic number field with ring of integers $\mathcal{O}_K$. $K$ is a CM field, and if $\mathrm{End}(E) \simeq \mathcal{O}_K$, then $E$ is said to have CM by $\mathcal{O}_K$. More generally a CM field is defined as follows.

Definition 3 (CM field). A number field $K$ is a CM field, if $K$ is a totally imaginary, quadratic extension of a totally real number field $K_0$.

In this paper only CM fields of degree $[K : \mathbb{Q}] = 4$ are considered. Such a field is called a quartic CM field.

Remark 4. Consider a quartic CM field $K$. Let $K_0 = K \cap \mathbb{R}$ be the real subfield of $K$. Then $K_0$ is a real, quadratic number field, $K_0 = \mathbb{Q}(\sqrt{D})$. By a basic result on quadratic number fields, the ring of integers of $K_0$ is given by $\mathcal{O}_{K_0} = \mathbb{Z} + \xi\mathbb{Z}$, where

$$\xi = \begin{cases} \dfrac{1 + \sqrt{D}}{2}, & \text{if } D \equiv 1 \bmod 4, \\[2mm] \sqrt{D}, & \text{if } D \equiv 2, 3 \bmod 4. \end{cases}$$

Since $K$ is a totally imaginary, quadratic extension of $K_0$, a number $\eta \in K$ exists, such that $K = K_0(\eta)$, $\eta^2 \in K_0$. The number $\eta$ is totally imaginary, and we may assume that $\eta = i\eta_0$, $\eta_0 \in \mathbb{R}$. Furthermore we may assume that $-\eta^2 \in \mathcal{O}_{K_0}$; so $\eta = i\sqrt{a + b\xi}$, where $a, b \in \mathbb{Z}$.

Let $C$ be a hyperelliptic curve of genus two. Then $C$ is said to have CM by $\mathcal{O}_K$, if $\mathrm{End}(C) \simeq \mathcal{O}_K$. The structure of $K$ determines whether $C$ is irreducible. More precisely, the following theorem holds.

Theorem 5. Let $C$ be a hyperelliptic curve of genus two with $\mathrm{End}(C) \simeq \mathcal{O}_K$, where $K$ is a quartic CM field. Then $C$ is reducible if, and only if, $K/\mathbb{Q}$ is Galois with Galois group $\mathrm{Gal}(K/\mathbb{Q}) \simeq \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$.

Proof. (Shimura, 1998, proposition 26, p. 61). □



Theorem 5 motivates the following definition.

Definition 6 (Primitive, quartic CM field). A quartic CM field $K$ is called primitive if either $K/\mathbb{Q}$ is not Galois, or $K/\mathbb{Q}$ is Galois with cyclic Galois group.

The CM method for constructing curves of genus two with prescribed endomorphism ring is described in detail by Weng (2003) and Gaudry et al. (2005). In short the CM method is based on the construction of the class polynomials of a primitive, quartic CM field $K$ with real subfield $K_0$ of class number $h(K_0) = 1$. The prime number $p$ has to be chosen such that $p = x\bar{x}$ for a number $x \in \mathcal{O}_K$. By Weng (2003) we may assume that $x \in \mathcal{O}_{K_0} + \eta\mathcal{O}_{K_0}$.



4. Properties of $\mathcal{J}_C(\mathbb{F}_p)$

Consider a primitive, quartic CM field $K$ with real subfield $K_0$ of class number $h(K_0) = 1$, and let $p$ be an odd prime number such that $p = x\bar{x}$ for a number $x \in \mathcal{O}_{K_0} + \eta\mathcal{O}_{K_0}$. The main result of this paper, given by the following theorem, concerns a curve of genus two with $\mathcal{O}_K$ as endomorphism ring.
Theorem 7. With the notation as in remark 4, let $C$ be a hyperelliptic curve of genus two defined over $\mathbb{F}_p$ with $\mathrm{End}(C) \simeq \mathcal{O}_K$. Assume that the $p$-power Frobenius under this isomorphism is given by the number $\omega = c_1 + c_2\xi + (c_3 + c_4\xi)\eta$, where $c_i \in \mathbb{Z}$. Consider a prime number $\ell \mid |\mathcal{J}_C(\mathbb{F}_p)|$ with $\ell \neq p$, $\ell \nmid D$ and $\ell \nmid c_2$. Assume that the $\ell$-Sylow subgroup of $\mathcal{J}_C(\mathbb{F}_p)$ is not cyclic. Then $p \equiv 1 \bmod \ell$, i.e. the embedding degree of $\mathcal{J}_C(\mathbb{F}_p)$ with respect to $\ell$ is one.

Proof. Consider a prime number $\ell \mid |\mathcal{J}_C(\mathbb{F}_p)|$ with $\ell \nmid p c_2 D$. If $\ell = 2$, then obviously $p \equiv 1 \bmod \ell$. Hence we may assume that $\ell \neq 2$. Assume that the $\ell$-Sylow subgroup $S$ of $\mathcal{J}_C(\mathbb{F}_p)$ is not cyclic. Then $S$ contains a subgroup $U \simeq (\mathbb{Z}/\ell\mathbb{Z})^2$. So

$$(\mathbb{Z}/\ell\mathbb{Z})^2 \leq \mathcal{J}_C(\mathbb{F}_p)[\ell] \leq \mathcal{J}_C[\ell].$$

Let $\{e_1, e_2\} \subseteq \mathcal{J}_C(\mathbb{F}_p)$ be a basis of $(\mathbb{Z}/\ell\mathbb{Z})^2$. Expand by the isomorphism (1) this set to a basis $\{e_1, e_2, f_1, f_2\}$ of $\mathcal{J}_C[\ell]$. It then follows that 1 is an eigenvalue of the Frobenius with eigenvectors $e_1$ and $e_2$, i.e. 1 is an eigenvalue of multiplicity at least two.

First we assume that $D \equiv 2, 3 \bmod 4$. Let $P(X)$ be the characteristic polynomial of the Frobenius. Since the conjugates of $\omega$ are given by $\omega_1 = \omega$, $\omega_2 = \bar{\omega}$, $\omega_3$ and $\omega_4 = \bar{\omega}_3$, where




it follows that

$$P(X) = \prod_{i=1}^{4}(X - \omega_i) = X^4 - 4c_1X^3 + \bigl(2p + 4(c_1^2 - c_2^2 D)\bigr)X^2 - 4c_1 p X + p^2.$$

Since 1 is an eigenvalue of the Frobenius of multiplicity at least two, the characteristic polynomial $P(X)$ is divisible by $(X - 1)^2$ modulo $\ell$. Now,

$$P(X) = Q(X) \cdot (X - 1)^2 + R(X),$$

where

$$R(X) = 4\bigl(1 - 3c_1 - (c_1 - 1)p + 2(c_1^2 - c_2^2 D)\bigr)X + p^2 - 2p - 4(c_1^2 - c_2^2 D) + 8c_1 - 3.$$

Since $R(X) \equiv 0 \bmod \ell$, it follows that

(3) $1 - 3c_1 - (c_1 - 1)p + 2(c_1^2 - c_2^2 D) \equiv 0 \bmod \ell.$

Since $|\mathcal{J}_C(\mathbb{F}_p)| = P(1)$, we know that

(4) $(p + 1)^2 - 4c_1(p + 1) + 4(c_1^2 - c_2^2 D) \equiv 0 \bmod \ell.$

By equation (3) we see that $4(c_1^2 - c_2^2 D) \equiv 2(c_1 - 1)p - 2 + 6c_1 \bmod \ell$. Substituting this into equation (4) we get

$$(p + 1)^2 - 4c_1(p + 1) + 2(c_1 - 1)p - 2 + 6c_1 = (p - 1)(p + 1 - 2c_1) \equiv 0 \bmod \ell;$$

so either $p \equiv 1 \bmod \ell$ or $p \equiv 2c_1 - 1 \bmod \ell$. Assume $p \equiv 2c_1 - 1 \bmod \ell$. Then

$$R(X) \equiv 4c_2^2 D(-2X + 1) \equiv 0 \bmod \ell.$$

Since $\ell \nmid 2c_2 D$, this is a contradiction. So if $D \equiv 2, 3 \bmod 4$, then $p \equiv 1 \bmod \ell$.
Now consider the case $D \equiv 1 \bmod 4$. We now have

$$\omega_3 = c_1 + c_2\,\frac{1 - \sqrt{D}}{2} + \Bigl(c_3 + c_4\,\frac{1 - \sqrt{D}}{2}\Bigr)\, i\sqrt{a + b\,\frac{1 - \sqrt{D}}{2}},$$

and it follows that the characteristic polynomial of the Frobenius is given by

$$P(X) = X^4 - 2cX^3 + (2p + c^2 - c_2^2 D)X^2 - 2pcX + p^2,$$

where $c = 2c_1 + c_2$. We see that $P(X) = Q(X)(X - 1)^2 + R(X)$, where

$$R(X) = \bigl((4 - 2c)p + 2c^2 - 6c - 2c_2^2 D + 4\bigr)X + p^2 - 2p - 3 + 4c - c^2 + c_2^2 D.$$

Since $R(X) \equiv 0 \bmod \ell$, it follows that

(5) $p^2 - 2p - 3 + 4c - c^2 + c_2^2 D \equiv 0 \bmod \ell,$

and since $|\mathcal{J}_C(\mathbb{F}_p)| = P(1)$, we know that

(6) $(p + 1)^2 - 2c(p + 1) + c^2 - c_2^2 D \equiv 0 \bmod \ell.$

Adding equations (5) and (6) (and using that $\ell$ is odd) it follows that

$$p^2 - cp + c - 1 = (p - 1)(p + 1 - c) \equiv 0 \bmod \ell,$$

i.e. $p \equiv 1 \bmod \ell$ or $p \equiv c - 1 \bmod \ell$. Assume $p \equiv c - 1 \bmod \ell$. Then

$$R(X) \equiv c_2^2 D(-2X + 1) \equiv 0 \bmod \ell,$$

again a contradiction. So if $D \equiv 1 \bmod 4$, then $p \equiv 1 \bmod \ell$. □

Consider the case $\ell \mid c_2$. Then the characteristic polynomial of the Frobenius modulo $\ell$ is given by

$$P(X) \equiv (X^2 - 2c_1X + p)^2 \bmod \ell,$$

independently of the remainder of $D$ modulo 4. Observe that

$$X^2 - 2c_1X + p = (X + 1 - 2c_1)(X - 1) + p - 2c_1 + 1.$$

Since 1 is an eigenvalue of the Frobenius, $X - 1$ divides $P(X)$ modulo $\ell$; hence $p \equiv 2c_1 - 1 \bmod \ell$, i.e.

$$P(X) \equiv (X - 1)^2(X - p)^2 \bmod \ell.$$

So the following theorem holds.

Theorem 8. With the notation as in remark 4, let $C$ be a hyperelliptic curve of genus two defined over $\mathbb{F}_p$ with $\mathrm{End}(C) \simeq \mathcal{O}_K$. Assume that the $p$-power Frobenius under this isomorphism is given by the number $\omega = c_1 + c_2\xi + (c_3 + c_4\xi)\eta$, where $c_i \in \mathbb{Z}$. Consider a prime number $\ell \mid |\mathcal{J}_C(\mathbb{F}_p)|$ with $\ell \neq p$, $\ell \mid c_2$. Assume that the $\ell$-Sylow subgroup of $\mathcal{J}_C(\mathbb{F}_p)$ is not cyclic. Then either

(1) $\mathcal{J}_C(\mathbb{F}_p)[\ell] \simeq (\mathbb{Z}/\ell\mathbb{Z})^2$, or

(2) $p \equiv 1 \bmod \ell$ and $\mathcal{J}_C(\mathbb{F}_p)[\ell] = \mathcal{J}_C[\ell]$.

Proof. If $p \not\equiv 1 \bmod \ell$, then 1 is not an eigenvalue of the Frobenius of multiplicity three, i.e. $\mathcal{J}_C(\mathbb{F}_p)[\ell] \simeq (\mathbb{Z}/\ell\mathbb{Z})^2$. If $p \equiv 1 \bmod \ell$, then 1 is an eigenvalue of the Frobenius of multiplicity four, i.e. $\mathcal{J}_C(\mathbb{F}_p)[\ell] = \mathcal{J}_C[\ell]$. □
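To make the algebra in the proofs of theorems 7 and 8 concrete, the following added example (not code from the paper) builds the characteristic polynomial $P(X)$ from the closed forms derived above for both residues of $D$ modulo 4, computes the remainder $R(X)$ of $P(X)$ modulo $(X - 1)^2$ over $\mathbb{Z}/\ell\mathbb{Z}$, and compares $P(X) \bmod \ell$ with $(X - 1)^2(X - p)^2$ in the case $\ell \mid c_2$. The parameter tuples $(c_1, c_2, D, p)$ are constructed only so that $(X - 1)^2$ divides $P(X)$ modulo $\ell = 11$; they are not claimed to be Frobenius data of an actual curve. The embedding degree is computed directly from definition 2.

```python
# Added example, not code from the paper. It checks the polynomial identities
# of section 4 on constructed parameters: the closed forms of P(X), the
# remainder R(X) modulo (X-1)^2, and the shape (X-1)^2 (X-p)^2 that appears
# when l | c2. The tuples (c1, c2, D, p) used below are chosen only so that
# (X-1)^2 divides P(X) mod 11; they are not claimed to come from an actual curve.
# Polynomials are lists of integer coefficients in increasing degree.


def frobenius_charpoly(c1, c2, D, p):
    """Coefficients of P(X) = prod_i (X - omega_i) for the Frobenius
    omega = c1 + c2*xi + (c3 + c4*xi)*eta, using the closed forms of section 4.
    c3 and c4 do not enter because omega times its conjugate equals p."""
    if D % 4 in (2, 3):
        # xi = sqrt(D):  X^4 - 4c1 X^3 + (2p + 4(c1^2 - c2^2 D)) X^2 - 4c1 p X + p^2
        return [p * p, -4 * c1 * p, 2 * p + 4 * (c1 * c1 - c2 * c2 * D), -4 * c1, 1]
    # xi = (1 + sqrt(D))/2 and c = 2c1 + c2:
    #                X^4 - 2c X^3 + (2p + c^2 - c2^2 D) X^2 - 2pc X + p^2
    c = 2 * c1 + c2
    return [p * p, -2 * p * c, 2 * p + c * c - c2 * c2 * D, -2 * c, 1]


def reduce_mod(coeffs, l):
    """P(X) reduced to (Z/lZ)[X], i.e. the polynomial P_M(X) of equation (2)."""
    return [a % l for a in coeffs]


def poly_mul_mod(f, g, l):
    """Product of two coefficient lists over Z/lZ."""
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % l
    return out


def remainder_mod_x_minus_1_squared(coeffs, l):
    """(r1, r0) with R(X) = r1*X + r0 the remainder of P(X) modulo (X-1)^2 over Z/lZ.
    Taylor expansion at X = 1 gives P(X) = Q(X)(X-1)^2 + P'(1)(X-1) + P(1)."""
    p_at_1 = sum(coeffs) % l                                  # P(1) = |J_C(F_p)| mod l
    dp_at_1 = sum(i * a for i, a in enumerate(coeffs)) % l    # P'(1) mod l
    return dp_at_1, (p_at_1 - dp_at_1) % l


def eigenvalue_one_is_double(c1, c2, D, p, l):
    """True when (X-1)^2 | P(X) mod l, the condition that a non-cyclic l-Sylow
    subgroup forces in the proof of theorem 7 (1 is an eigenvalue of multiplicity >= 2)."""
    return remainder_mod_x_minus_1_squared(frobenius_charpoly(c1, c2, D, p), l) == (0, 0)


def embedding_degree(p, l):
    """Least k >= 1 with p^k = 1 mod l (definition 2); l prime and l != p assumed."""
    k, x = 1, p % l
    while x != 1:
        x, k = (x * p) % l, k + 1
    return k


def double_roots_shape(p, l):
    """Coefficients of (X-1)^2 (X-p)^2 over Z/lZ, the factorisation of P(X) mod l
    obtained in the case l | c2 just before theorem 8."""
    x_minus_1 = [(-1) % l, 1]
    x_minus_p = [(-p) % l, 1]
    return poly_mul_mod(poly_mul_mod(x_minus_1, x_minus_1, l),
                        poly_mul_mod(x_minus_p, x_minus_p, l), l)


if __name__ == "__main__":
    l = 11
    # Constructed cases: in the first two l does not divide 2 c2 D, so theorem 7
    # predicts p = 1 mod l; in the third l | c2 and p = 2 c1 - 1 mod l.
    for c1, c2, D, p in [(6, 1, 3, 67), (4, 1, 5, 23), (4, 11, 3, 29)]:
        P = frobenius_charpoly(c1, c2, D, p)
        print(c1, c2, D, p, P, eigenvalue_one_is_double(c1, c2, D, p, l),
              "embedding degree", embedding_degree(p, l))
    # l | c2: P(X) mod l has the shape (X-1)^2 (X-p)^2
    print(reduce_mod(frobenius_charpoly(4, 11, 3, 29), l) == double_roots_shape(29, l))
```

For the two constructed cases with $\ell \nmid 2c_2 D$ the remainder vanishes and $p \equiv 1 \bmod 11$, as theorem 7 asserts. For the case $\ell \mid c_2$ the remainder also vanishes, $P(X) \bmod 11$ equals $(X - 1)^2(X - p)^2$, but the embedding degree is 10, which is the situation of alternative (1) in theorem 8.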
5. Applications

Let $C$ be a hyperelliptic curve of genus two defined over $\mathbb{F}_p$ with $\mathrm{End}(C) \simeq \mathcal{O}_K$. Write

(7) $\mathcal{J}_C(\mathbb{F}_p) \simeq \mathbb{Z}/n_1\mathbb{Z} \times \mathbb{Z}/n_2\mathbb{Z} \times \mathbb{Z}/n_3\mathbb{Z} \times \mathbb{Z}/n_4\mathbb{Z},$

where $n_i \mid n_{i+1}$ and $n_2 \mid p - 1$ (see Frey and Lange, 2006, proposition 5.78, p. 111).



We recall the following result on the prime divisors of the number $n_2$.

Theorem 9. With the notation as above, let $\ell \mid n_2$ be an odd prime number. Then $\ell \leq \Omega$, where

$$\Omega = \max\{a,\, D,\, \ldots - b^2 D\},$$

if $D \equiv 2, 3 \bmod 4$, and

$$\Omega = \max\{a,\, D,\, 4a(a + b) - b^2(D - 1),\, aD + 2b(D - 1)\},$$

if $D \equiv 1 \bmod 4$. If $\ell > D$, then $c_1 \equiv 1 \bmod \ell$ and $c_2 \equiv 0 \bmod \ell$.

Proof. Ravnshøj (2007a). □

Let the Frobenius be given by the number $\omega = c_1 + c_2\xi + (c_3 + c_4\xi)\eta$, $c_i \in \mathbb{Z}$, and consider a prime number $\ell \mid |\mathcal{J}_C(\mathbb{F}_p)|$, $\ell \neq p$.

Corollary 1. If $\ell \nmid c_2$ and $\ell > \Omega$, then the $\ell$-Sylow subgroup $S$ of $\mathcal{J}_C(\mathbb{F}_p)$ is either of rank two and $p \equiv 1 \bmod \ell$, or $S$ is cyclic.

By Ravnshøj (2007b), if $p \equiv 1 \bmod \ell$, then there exists an efficient, probabilistic algorithm to determine generators of the $\ell$-Sylow subgroup of $\mathcal{J}_C(\mathbb{F}_p)$. Hence the following corollary holds.

Corollary 2. If $\ell \nmid D$ and $\ell \nmid c_2$, then there exists an efficient, probabilistic algorithm to determine generators of the $\ell$-Sylow subgroup $S$ of $\mathcal{J}_C(\mathbb{F}_p)$.

Proof. If $p \equiv 1 \bmod \ell$, then the corollary is given by Ravnshøj (2007b). If $p \not\equiv 1 \bmod \ell$, then $S$ is cyclic by theorem 7. Assume $|S| = \ell^r$. Then $S$ has $\ell^r - \ell^{r-1}$ elements of order $\ell^r$. Hence the probability that a random element $\alpha \in S$ generates $S$ is $1 - \frac{1}{\ell}$, and choosing random elements $\alpha \in S$ until an element of order $\ell^r$ is found will be an efficient, probabilistic algorithm to determine generators of $S$. □
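The sampling argument in the proof of corollary 2, as an added example that is not part of the paper: the cyclic $\ell$-Sylow subgroup $S$ of order $\ell^r$ is modelled by the additive group $\mathbb{Z}/\ell^r\mathbb{Z}$ (an assumption made for the illustration; on an actual Jacobian the same order test would be carried out with the group law of $\mathcal{J}_C(\mathbb{F}_p)$). Testing whether a random element has order $\ell^r$ needs a single scalar multiplication by $\ell^{r-1}$, and a brute-force count of such elements confirms the number $\ell^r - \ell^{r-1}$ used in the proof.

```python
# Added example (not code from the paper): the random search for a generator
# from the proof of corollary 2, run on a cyclic group of order l^r.
# Assumption: the cyclic l-Sylow subgroup S is modelled by Z/l^r Z with
# addition as group law; on a Jacobian one would use the group law of J_C(F_p)
# and compare against the neutral element instead of 0.
import random


def has_full_order(alpha, l, r):
    """True when alpha generates Z/l^r Z.  Every element order divides l^r, so
    the order is exactly l^r if and only if l^(r-1) * alpha is not the neutral
    element; one scalar multiplication decides it."""
    n = l ** r
    return (l ** (r - 1) * alpha) % n != 0


def count_full_order_elements(l, r):
    """Brute-force count of elements of order l^r; the proof states l^r - l^(r-1)."""
    return sum(1 for alpha in range(l ** r) if has_full_order(alpha, l, r))


def find_generator(l, r, seed=None, max_trials=1000):
    """Draw random elements of Z/l^r Z until one of order l^r is found and
    return (generator, number_of_trials).  Each draw succeeds with
    probability 1 - 1/l, so the expected number of trials is l/(l-1)."""
    rng = random.Random(seed)
    n = l ** r
    for trial in range(1, max_trials + 1):
        alpha = rng.randrange(n)
        if has_full_order(alpha, l, r):
            return alpha, trial
    raise RuntimeError("no generator found within max_trials")


def average_trials(l, r, runs, seed=0):
    """Empirical mean of the number of draws over several independent searches."""
    rng = random.Random(seed)
    total = 0
    for _ in range(runs):
        total += find_generator(l, r, seed=rng.randrange(2 ** 32))[1]
    return total / runs


if __name__ == "__main__":
    for l, r in [(3, 2), (5, 3), (7, 4)]:
        print(l, r, count_full_order_elements(l, r), l ** r - l ** (r - 1),
              find_generator(l, r, seed=1), average_trials(l, r, runs=200))
```

The empirical average number of draws stays close to $\ell/(\ell - 1)$, which is what makes the search in the proof efficient: the larger $\ell$ is, the more likely the very first random element already generates $S$.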